Modern Email Security Enhancements (SPF,DKIM,DMARC)

Why now….

I’ve been spending some time enhancing our own internal email security posture lately and I quickly realized that I was not as well informed as I thought. I decided that I was going to embark on a quest to really lock down our email systems as best as I could. Below is information that I think will help our clients out there, and as always if you need some help our services team is here to lend a hand.

Email looks the same - What’s changed?

First let me start by saying there have actually been a pretty good amount of email security improvements over the past few years. I’m going to divide my post into simple and free enhancements, then towards the end we’ll talk about services you can use that can help automate or improve upon this tech. Some of these ideas have been around for years, but largely we haven’t seen many customers do much of this real simple stuff, to lock down their mail, and prevent it from being captured by Junk/Spam filters/folders.

Simple and Free

There are a few things you can do that are really quick, simple and free. These items will lead to a decrease in your mail being falsely categorized as SPAM or Junk. These items can also help to increase the receivers awareness of the validity of your email.

SPF DNS Record

First up is the SPF record, and unless you are using office 365 you may not know what this is. Office 365 makes this a mandatory setting while setting up your tenant, so if you use O365 you probably have done this. Even if you’ve set it up pay attention, because if you use services like Mimecast, Barracuda or Proofpoint you may be doing it wrong.

SPF stands for Sender Policy Framework. In real simple terms it’s a DNS record that you create in your public DNS (Think Godaddy, Network Solutions, etc.). Inside of this record you specify what hostnames, domains, or IP addresses that are allowed to send mail from your domain. In our case it’s snowcaptech.com. I will share our configuration because it’s in our public DNS and it’s perfectly accessible from the outside world. It’s pretty obvious to state that your email service should be included in this, but often times you forget that you have mail filtering or a SaaS application that sends mail on your behalf. Services like salesforce or proofpoint may send mail from their services but using your domain name. If you SPF record is not correct then you mail may be categorized as Junk or Spam. Here’s an idea of what your TXT DNS record should look like if you are using office 365

v=spf1 include:spf.protection.outlook.com -all

if you break the record down the v=spf1 is telling DNS that this is an SPF record, the include statement shows what hostname you are including as a valid sender and the -all means that you’ll fail everything else if it doesn’t match anything in the statement. You can have multiple include statements, and it is possible to put IP addresses in there as well. If you want to see what your SPF record looks like right now you can use MXtoolbox or any other DNS utility website.

DKIM

Next up is DKIM, DKIM stands for Domain Keys Identified Mail. DKIM has a pretty simple concept, but implementation can be a little tricky.

image credit: barracudanetworks.com

dkim-operation.png

DKIM basically works like an SSL certificate does on a website. When the mail is generated it is assigned a hash, when the recipient receives the email their email system can inspect the hash and check it against the public key. If they hash matches then the email server knows that nobody has tampered with the mail while in transit. This prevents man in the middle attacks. The tricky part here is how to get the keys sorted out on your email server, and how to present the public key to the outside world. Lucky for us there are ways to do this, as you would imagine with any RFC based method there is a standard. Basically you create a private/public keypair, if you are using office 365 this is already done for you, but you have to enable DKIM in order to use it, it’s not necessarily on by default. Link to O365 to enable https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email

Next you need the public key to share with the world. If you are using your own email server on premise, then you likely have the private and public keys but if you use O365 you need to get them, and this part is a little tricky. It’s actually easiest to use a powershell command to get this, and if you have more than one “Selector” there will be 2 keys to retrieve. By the way best practice is to have 2 selectors and make sure you enter both. Microsoft will rotate between the two selectors on a regular basis so you don’t want to not have the keys available. The powershell code is in the link above for the DKIM setup.

In order for all this to work right, you also need to publish CNAME records for the “Selectors”. The selectors are the hosts that hold the keys for people to query against, and Microsoft generates 2 selectors for your domain name if you are using O365. If you use private email you’ll have to host them another way. After that is all complete you’ll need to have your email server check for DKIM, and you can decide what to do if the message fails DKIM. We use Barracuda Email Security Service internally. This scans our inbound and outbound mail for us, it’s fully compatible with Office 365. We do not block DKIM failures we only quarrantine them at this point in time, because there are simply too many mis-configured DKIM deployments out there. I would prefer that my users have the opportunity to take a look at the message in quarantine and decide if it looks legit or not. Putting in the quarantine at least highlights that it’s suspicious, so our users use extra care when evaluating those messages.

DMARC

Last but not least, is DMARC. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Which is a big long set of words that means this protocol will protect your email from being spoofed. We live in a day that most of the cybersecurity threats come in through email phishing attacks. I’m not going to get into detail on what phishing is, because I think most people sort of understand it now. In basic terms it’s when somebody sends an email to a user impersonating somebody else to trick them into giving up information. DMARC combines information from SPF and DKIM to correlate information and decide if something looks correct. Again DMARC is implemented using TXT records in Public DNS. Below is an example of what a demarc record would look like if you were just getting started

v=DMARC1; p=none; fo=1;

To break the record down v=DEMARC1 tells everyone that this TXT record is a DMARC record. The p=none shows that we aren’t applying a policy, we could also specify quarantine or reject here to take the respective action if dmarc fails. lastly is the fo=1 section which specifies the level of forensic reporting. The RFC specifies the options and what their values are, but this is the most common setting when you are getting started. It allows you to start evaluating demarc without blocking anything and formulate a good process based on the results. With our barracuda email security essentials subscription we can use their Sentinel product to review our dmarc reporting results and make recommendations based on results.

Enhancements

I would strongly consider using a tool to process your mail flows and further enhance your security. Take a look at the barracuda essentials suite if you are an Office 365 user it’s especially awesome. They can do your inbound/outbound mail filtering, they can integrate with DKIM, SPF, and DMARC. They provide AI based protection of all user mailboxes for viruses and ATP threats. They can also spool your mail if your mail service goes down, then deliver when it is back up agian. Also included in the suite is cloud to cloud backup of mail, sharepoint, and onedrive. It’s really a great bundle with lots of value and intelligence into your data and mail traffic. Last but what certainly could be the best part is they include a product called Phishline, which has videos and training for users to help them spot bogus email. Phishline can also do simulated phishing attacks to see if your users are paying attention, it creates fake scams to see if users will click on the phishing attempts. It can be a great tool to evaluate the effectiveness of training, and prove you are meeting goals. It’s a fully cloud based service sold as a subscription per active user. Contact us if you need any help with sorting all of this out, we’d be happy to help.

-Brad